Social engineering assessments
Professional industrial espionage often involves physical attacks or insiders, even when the target is in cyberspace. Nevertheless, this attack vector is frequently underestimated.
Social engineering: attacks via unexpected paths
Many companies focus on protecting themselves against attacks from cyberspace by securing their systems, setting up security monitoring and sensitizing their employees to phishing e-mails.
However, depending on their motivation and capabilities, attackers can also take unexpected paths: on site, it is easy for an attacker to obtain internal information, and if things get complicated, they can simply ask.
Benefits of social engineering assessments
Procedure and background information
Crucial to a successful assessment is good preparation. One small mistake and the situation can get out of control, or we get caught and have to abort. We would then have invested a lot of time and effort for little gain in knowledge.
That is why we prepare the assessment thoroughly together with you:
- We define goals that are challenging but also realistic, and whose outcome makes an impression. This increases the acceptance of the measures derived from the assessment.
- The circle of those informed must be chosen carefully: the situation must not escalate, nor should too many people be in the know.
- Clearly defined rules and boundaries are also important. You remain in control throughout the assessment and are informed of our steps at all times. You can define 'no-gos' and stop individual actions.
- We respect ethical principles: attacks on an interpersonal level are an absolute no-go for us, as is the personal exposure of individual participants.
- Meeting to agree on the scope
- Kick-off meeting
- Workshop to define objectives and rules of the game
- Information research (HUMINT, OSINT, on-site inspection)
- Attack planning and preparation
- Execution of the attack with physical attacks and social engineering and hacking (if necessary)
- Regular status meetings
- Clear documentation of the attack path
- Replay workshop with the project team
- Management presentation
- Voice phishing calls (vishing)
- Fake identity cards
- Infiltration of employees (via job applications)
- Lock picking
- Dropbox with mobile internet (remote access/exfiltration)
- Screen grabber
- Prepared USB sticks